Email spoofing: forging the sender of an email (the From header) so it appears to come from an executive, a colleague or a supplier. It is the variant with the highest financial impact on businesses and the usual entry point for Business Email Compromise.
What is spoofing
Spoofing is the technical forgery of an identity: making an email, a phone call, a network packet or a domain appear to come from a legitimate source when it does not. Unlike the purely human deception of social engineering, spoofing manipulates the protocols themselves: it forges the sender of an email, the caller ID of a phone call, the source IP address of a packet or the response of a DNS server. It is the technical layer on which many phishing and fraud attacks are built: the message deceives because the channel says it comes from someone it does not. For a business, by far the most relevant variant is email spoofing, because email remains the channel where payments are ordered and invoices are exchanged.
Why it matters
Because trust in the sender underpins almost every business process that runs over email: approvals, invoices, payroll changes, payment orders. The original SMTP protocol does not verify who is sending, so without additional controls anyone can send an email "from" your company's domain — to your employees, your customers or your suppliers — without having compromised a single account. That asymmetry explains why email fraud causes more direct financial losses than ransomware in many annual reports: it needs no malware, no exploit, no intrusion; just a credible message at the right moment. The defences exist and are standardised: SPF declares which servers may send on behalf of your domain, DKIM cryptographically signs messages, and DMARC tells receiving servers what to do when something does not add up, while also generating reports on who is attempting to use your domain. Publishing them badly — or leaving them in monitoring mode indefinitely — creates a false sense of protection: the domain looks covered on paper, but forged messages keep landing in your customers' inboxes.
Key points
Domain spoofing and lookalike domains: besides forging the exact domain, the attacker can register visually similar variants (typosquatting, homoglyphs, a different TLD) that pass filters because they are technically legitimate domains — they just belong to the attacker.
Caller ID and SMS spoofing: forging the number displayed on a call or the sender of a text message. It is the basis of vishing and smishing: the bank "calling you" from its real number, or the SMS that slips into the legitimate thread from your carrier or courier.
Network spoofing: forging the source IP (common in reflection DDoS attacks), poisoning ARP tables to intercept traffic on the local network, or manipulating DNS responses to redirect the victim to attacker-controlled servers. Encryption and digital certificates are the key countermeasure against interception.
SPF, DKIM and DMARC: the email authentication trio. SPF lists the servers authorised to send for your domain, DKIM adds a verifiable cryptographic signature, and DMARC defines the policy on failure (none, quarantine, reject) and generates reports on how your domain is being used.
GPS and other physical spoofing: forging positioning or sensor signals affects logistics, maritime and drones. Less common for SMEs, but it illustrates the general principle: any channel that does not authenticate its origin can be impersonated.
Example: the supplier invoice with a changed IBAN
The finance team at a construction company receives an email from its regular materials supplier: same trade name, same corporate signature, same subject thread as the pending invoice. The message announces a change of bank and attaches the usual invoice with a new IBAN. The email does not come from the supplier: the sender's domain is forged because the supplier has no DMARC, and the attacker knew about the business relationship from a mailbox compromised weeks earlier. Finance updates the IBAN and pays 68,000 euros. The fraud surfaces three weeks later, when the real supplier chases the payment.
The defences that break this scenario are concrete: DMARC at reject on your own domain (and requiring it of critical suppliers) so the forged email never arrives; an administrative procedure that forces every bank account change to be verified through a channel other than email — a call to the number you have always used, not the one in the message —; and visible banners on messages arriving from outside the organisation. A controlled phishing exercise shows whether the finance team would spot the deception before someone tries it for real, and a review of your corporate email configuration closes the SPF, DKIM and DMARC gaps that make the impersonation possible.
Common mistakes
- Believing that publishing SPF settles the matter. SPF validates only one aspect of sending, breaks on forwarding and does not protect what the user sees in the From field. Without DKIM and an effective DMARC policy, the domain remains forgeable in practice.
- Leaving DMARC at p=none indefinitely. Monitoring mode is a starting point to avoid breaking legitimate mail, not a destination: if you never move to quarantine or reject, forged messages keep being delivered and the policy only produces reports nobody reads.
- Forgetting secondary and parked domains. Domains registered for campaigns or brand protection that send no mail also need restrictive SPF and DMARC records; otherwise they are the perfect vehicle for impersonating the company without touching the main domain.
- Confusing spoofing with a compromised account. If the attacker controls the real mailbox, SPF, DKIM and DMARC will validate their messages without objection, because they leave the legitimate server. That scenario calls for other defences: MFA, conditional access and mailbox monitoring.
- Relying entirely on technical controls and not on process. No DMARC policy stops a payment being approved on the strength of an email from a lookalike domain registered yesterday. Out-of-band verification of payments and account changes is the control that still works when the technical one fails.
Related services
This concept may be related to services such as:
Frequently asked questions
What is the difference between spoofing and phishing?
Spoofing is the impersonation technique: forging the sender, the number or the source address. Phishing is the complete attack that aims to deceive the victim into giving up credentials or money, and it often uses spoofing to appear credible. There can be spoofing without phishing (forging an IP in a DDoS) and phishing without spoofing (a lookalike domain registered by the attacker).
Does DMARC stop all email spoofing?
It stops exact forgery of your domain when the policy is quarantine or reject and receivers enforce it. It does not protect against lookalike domains registered by the attacker, nor against compromised legitimate mailboxes, nor against senders with a deceptive display name over an unrelated domain. It is an essential control, but it works alongside training and payment verification procedures, not instead of them.
How can I tell whether my company's domain is being spoofed?
By enabling DMARC reporting: receiving servers send daily aggregate reports showing which IP addresses are sending mail on behalf of your domain and whether authentication passes or fails. With an analysis tool for those reports you can separate legitimate sending (your server, your marketing platform) from abuse. Monitoring registrations of lookalike domains completes the watch against typosquatting.
Should an SME worry about ARP or DNS spoofing?
Less than about email spoofing, but it is not theoretical. ARP spoofing requires the attacker to be inside the local network — or on the same Wi-Fi — which is plausible in offices with poorly segmented guest Wi-Fi. DNS spoofing is mitigated by using trusted resolvers and DNSSEC where possible. End-to-end TLS encryption means that, even if intercepted, traffic cannot be read or altered without raising alerts.